Back to Case StudiesManufacturing

Manufacturer Builds a Vendor Risk Program After a Third-Party Scare

Client: A precision manufacturing company (name withheld under NDA)

40+

Vendors assessed in the first review cycle

1

High-risk vendor relationship remediated

90 Days

To a fully documented vendor risk program

The challenge

A breach notification from a key logistics supplier prompted this manufacturer to realize it had no formal process for assessing or monitoring third-party security risk, despite dozens of vendors holding access to its systems and data.

The approach

Eiferone worked with the client's procurement and IT teams to design a tiered vendor risk assessment process, standard security questionnaires, minimum control requirements written into contract templates, and a review cadence based on each vendor's access level and data sensitivity.

What we found

Of the first 40 vendors assessed, one held broad, standing access to internal systems well beyond what its function required, with no contractual security obligations in place at all. That relationship was renegotiated and access scoped down significantly.

The outcome

Within 90 days, the manufacturer had a fully documented, repeatable vendor risk program in place, along with contractual language now standard in new vendor agreements and a monitoring cadence for existing high-risk relationships.

Manufacturer Builds a Vendor Risk Program After a Third-Party Scare | Eiferone